Impact
The vulnerability is an improper neutralization of input during web page generation, specifically a stored Cross‑Site Scripting flaw classified as CWE‑79. When an attacker injects malicious script into data the plugin stores, that script is later rendered into the site's pages and executed in each visitor's browser within the site's origin. An attacker could use this to steal credentials, deface the site, or redirect visitors to malicious sites, compromising the confidentiality and integrity of site data; a payload that overwhelms the browser could also cause a user‑facing denial of service.
Affected Systems
The fault affects the WebCodingPlace Responsive Posts Carousel Pro WordPress plugin for all released versions up to and including 15.2. Any WordPress installation that has this plugin, regardless of the specific minor build within that range, is vulnerable.
Risk and Exploitability
The CVSS score of 6.5 indicates a medium‑to‑high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Likely attack vectors involve an attacker accessing the plugin’s administrative interface or any input field that stores data in the database; malicious code injected there is persisted and executed when the page is served to users. The impact depends on the privileges the victim browser session holds, but any user who views the affected page could be targeted.
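The stored-XSS pattern described above, shown as an added example that is not the plugin's own code: a setting saved verbatim and echoed raw into the page, beside the hardened form that authorises the request, sanitises on save and escapes on output. The option names, field name, nonce action and shortcode tag are hypothetical placeholders; the WordPress functions used are real.

```php
<?php
// Added illustration, not code from Responsive Posts Carousel Pro.
// Option/field/nonce/shortcode names are hypothetical placeholders.

// BEFORE (vulnerable): admin-supplied text stored as-is and printed raw.
// Any <script> or event-handler markup saved here runs for every visitor.
function rpc_example_save_title_unsafe() {
    update_option( 'rpc_example_title', $_POST['rpc_example_title'] ?? '' );
}
function rpc_example_render_unsafe() {
    $title = get_option( 'rpc_example_title', '' );
    return '<h2 class="carousel-title">' . $title . '</h2>';
}

// AFTER (hardened): capability check, nonce check, sanitise on save.
function rpc_example_save_title() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // only administrators may change plugin settings
    }
    check_admin_referer( 'rpc_example_save', 'rpc_example_nonce' );
    $raw = isset( $_POST['rpc_example_title'] )
        ? wp_unslash( $_POST['rpc_example_title'] )
        : '';
    // Strips tags and control characters before the value is persisted.
    update_option( 'rpc_example_title', sanitize_text_field( $raw ) );
}

// Output escaping is the control that actually stops the script from
// running; sanitising on save is defence in depth. Use the escaper that
// matches the output context: esc_html for text, esc_attr for attribute
// values, esc_url for href/src, wp_kses_post only where stored HTML is
// genuinely required.
function rpc_example_render() {
    $title = get_option( 'rpc_example_title', '' );
    $link  = get_option( 'rpc_example_link', '' );
    return sprintf(
        '<h2 class="carousel-title"><a href="%s" title="%s">%s</a></h2>',
        esc_url( $link ),
        esc_attr( $title ),
        esc_html( $title )
    );
}
add_shortcode( 'rpc_example_carousel', 'rpc_example_render' );
```

Wiring the save handler into the Settings API or an admin_post action is omitted; the point is that every stored value crosses an escape call on its way back into HTML.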
OpenCVE Enrichment